Password Policy


Password Policy is a Policy that governs the Password within a system.

Typically there are two major areas that should be covered:

Draft-behera-ldap-password-policy, even though it is an expired Internet Draft, is still the "de facto" standard.

LDAP and Password Policy

The typical LDAP Server Implementation Password Policy provides a mechanism for controlling how passwords will be stored and maintained in the server, and how users will be allowed to authenticate.

The "industry standard" is draft-behera-ldap-password-policy, which many LDAP Server Implementations follow, at least to some degree.

Typical Elements of a Password Policy include:

  • The attribute used to store user passwords. By default, this is the userPassword attribute.
  • The default set of Password Storage Schemes that will be used to encrypt passwords within a Data Store.
  • A set of deprecated Password Storage Schemes that may be used to authenticate users, but will cause the password to be re-encoded using the default scheme(s) upon a successful bind Request.
  • A flag that indicates whether users will be allowed to perform a Password Change.
  • A number of settings related to Password Expiration, including the maximum age for passwords, warnings before expiration, and whether users will be allowed to change their passwords after they expire.
  • A number of settings related to Intruder Detection, which can be used to prevent users from authenticating after too many failed attempts.
  • Flags that indicate whether Password Periodic Changes are required and/or whether users will be required to change their password following a Password Reset.
  • A set of Password Validators that can be used to determine whether proposed new password values are acceptable for use.
  • A flag that indicates whether users will be required to provide their current passwords to be allowed to perform a Password Change.
  • A flag that indicates whether clients will be allowed to specify new passwords that have already been encoded using one of the password storage schemes defined in the server. Allowing pre-encoded passwords may be necessary for some applications, but may allow the user to bypass certain restrictions, like Password Validators, that might otherwise be enforced.
  • Settings related to maintaining the Last Login Time, including the attribute to use to store its value, the format to use for the time stamp, and whether to lock an account after too much time has elapsed without authenticating.
  • Flags that control whether the user will be required to authenticate in a secure manner and/or whether they will be required to perform Password Change in a secure manner.
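The elements above map onto operational attributes that draft-behera-ldap-password-policy defines (pwdMaxAge, pwdExpireWarning, pwdGraceAuthNLimit, pwdLockout, pwdMaxFailure, pwdFailureCountInterval, pwdLockoutDuration, pwdMustChange, and the per-user pwdChangedTime, pwdFailureTime, pwdAccountLockedTime, pwdGraceUseTime and pwdReset). The following is an added, simplified illustration of how a server evaluates those attributes at bind time; it is not code from any LDAP server, and the policy values are constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample pwdPolicy subentry, as a client would read it (values in seconds).
POLICY = {
    "pwdAttribute": "userPassword",
    "pwdMaxAge": 7776000,          # passwords expire after 90 days
    "pwdExpireWarning": 604800,    # warn during the last 7 days
    "pwdGraceAuthNLimit": 2,       # binds still allowed after expiry
    "pwdLockout": True,            # intruder detection enabled
    "pwdMaxFailure": 5,            # failures before lockout
    "pwdFailureCountInterval": 900,  # failures older than 15 min are forgotten (0 = never)
    "pwdLockoutDuration": 1800,    # lockout lasts 30 min (0 = until admin reset)
    "pwdMustChange": True,         # must change after an administrative reset
}

def parse_gt(value):
    """Parse an LDAP GeneralizedTime value such as 20240101120000Z (UTC only)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def evaluate_bind(policy, entry, now):
    """Return the password-policy state for a bind against `entry` at time `now`.
    `entry` holds the per-user operational attributes the server maintains."""
    # Intruder detection: an explicit lock wins while pwdLockoutDuration has not elapsed.
    locked = entry.get("pwdAccountLockedTime")
    if policy["pwdLockout"] and locked:
        duration = policy["pwdLockoutDuration"]
        if duration == 0 or now < parse_gt(locked) + timedelta(seconds=duration):
            return "locked"
    # Otherwise count failures that are still inside pwdFailureCountInterval.
    interval = policy["pwdFailureCountInterval"]
    failures = [parse_gt(t) for t in entry.get("pwdFailureTime", [])]
    if interval:
        failures = [t for t in failures if now - t <= timedelta(seconds=interval)]
    if policy["pwdLockout"] and len(failures) >= policy["pwdMaxFailure"]:
        return "locked"
    # Administrative reset: the user may only change the password.
    if policy["pwdMustChange"] and entry.get("pwdReset") == "TRUE":
        return "must-change"
    # Expiration, warning window, and grace authentications.
    expires = parse_gt(entry["pwdChangedTime"]) + timedelta(seconds=policy["pwdMaxAge"])
    if now >= expires:
        if len(entry.get("pwdGraceUseTime", [])) < policy["pwdGraceAuthNLimit"]:
            return "expired-grace"
        return "expired"
    if now >= expires - timedelta(seconds=policy["pwdExpireWarning"]):
        return "ok-warning"
    return "ok"
```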

Edirectory Password Policy

We have some specific information on the Edirectory Password Policy.

Microsoft Active Directory Password Policy

Microsoft Active Directory Password Policy is controlled by either: Either solution has the same list of constraints, such as PasswordMinimumLength and the Max-Pwd-Age Attribute, but the implementation is different.
